DVWA系列---Brute Force暴力破解

- 日理万妓 2023-07-01 10:56 4阅读 0赞

### 文章目录 ###

*   *  一、low级别
     *  二、medium级别
     *  三、high级别
     *   *   *  Token简述

实验使用bp进行抓包暴力破解，并提前写好账号密码字典。

## 一、low级别 ##

安全措施：**无任何防护措施**

1、使用bp抓包  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70]  
2、发送至intruder并添加参数，选择形式  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 1]  
3、增加线程后，实施攻击  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 2]  
根据响应长度，判断出正确账号密码。

**（查看源代码）**

<?php
 
 if( isset( $_GET[ 'Login' ] ) ) { 
 // Get username
 $user = $_GET[ 'username' ];
 
 // Get password
 $pass = $_GET[ 'password' ];
 $pass = md5( $pass );
 
 // Check the database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
 
 if( $result && mysqli_num_rows( $result ) == 1 ) { 
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];
 
 // Login successful
 echo "Welcome to the password protected area { $user}";
 echo "<img src=\"{ $avatar}\" />";
 }
 else { 
 // Login failed
 echo "<pre> Username and/or password incorrect.</pre>";
 }
 
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
 }
 
 ?>

## 二、medium级别 ##

安全措施：**添加登录失败休眠操作**

与low级别方法相同，只不过比较耗时。  
![在这里插入图片描述][2020012114322244.jpg]  
结果：  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 3]  
**（查看源代码）**

<?php
 
 if( isset( $_GET[ 'Login' ] ) ) { 
 // Sanitise username input
 $user = $_GET[ 'username' ];
 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 
 // Sanitise password input
 $pass = $_GET[ 'password' ];
 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $pass = md5( $pass );
 
 // Check the database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
 
 if( $result && mysqli_num_rows( $result ) == 1 ) { 
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];
 
 // Login successful
 echo "Welcome to the password protected area { $user}";
 echo "<img src=\"{ $avatar}\" />";
 }
 else { 
 // Login failed
 sleep( 2 );
 echo "<pre> Username and/or password incorrect.</pre>";
 }
 
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
 }
 
 ?>

## 三、high级别 ##

安全措施：**加入Token预防CSRF，重定向**

![在这里插入图片描述][20200121150010822.jpg]![在这里插入图片描述][20200121145953712.jpg]

#### Token简述 ####

> **Token**：Token名为令牌，是在会话、登时每次都产生的一个特定格式的随机数，用于身份验证。

> 比如在本次high级别的登陆中，每次登陆后都会产生一个不同的token，而且该token是由服务器产生，将之发送给客户端，此后每次客户端访问数据，就避免了频繁地验证用户名密码，只需要验证token就可以了。

> token可以用于防护CSRF攻击，但是，token不可以预防暴力破解，因为每次会话的token都会发送至前端，只需要递归地在前端接收token作为下次访问的token值就可以实施暴力破解了。

1、当加入token后，直接对账号密码进行爆破，会产生302重定向  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 4]  
2、因此需要将token也添加为参数，并设置重定向参数。  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 5]  
3、在options中设置参数 Grep-Extract 用于获取每次的token  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 6]  
4、由于token的值是由服务器决定的，因此需要使用递归式获取token并将其作为新请求的token值，将token参数的载荷类型设置为递归获取，并将上一步最新获取的token值作为首次token  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 7]  
5、重定向设置为 always![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 8]  
6、开始攻击，发现报错，原因是递归式载荷不能使用多线程  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 9]  
7、将线程改为1  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 10]  
8、重新攻击  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 11]  
找到账户密码。

**（查看源代码）**

<?php
 
 if( isset( $_GET[ 'Login' ] ) ) { 
 // Check Anti-CSRF token
 checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
 
 // Sanitise username input
 $user = $_GET[ 'username' ];
 $user = stripslashes( $user );
 $user = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $user ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 
 // Sanitise password input
 $pass = $_GET[ 'password' ];
 $pass = stripslashes( $pass );
 $pass = ((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"])) ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $pass ) : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
 $pass = md5( $pass );
 
 // Check database
 $query = "SELECT * FROM `users` WHERE user = '$user' AND password = '$pass';";
 $result = mysqli_query($GLOBALS["___mysqli_ston"], $query ) or die( '<pre>' . ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) . '</pre>' );
 
 if( $result && mysqli_num_rows( $result ) == 1 ) { 
 // Get users details
 $row = mysqli_fetch_assoc( $result );
 $avatar = $row["avatar"];
 
 // Login successful
 echo "Welcome to the password protected area { $user}";
 echo "<img src=\"{ $avatar}\" />";
 }
 else { 
 // Login failed
 sleep( rand( 0, 3 ) );
 echo "<pre> Username and/or password incorrect.</pre>";
 }
 
 ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
 }
 
 // Generate Anti-CSRF token
 generateSessionToken();
 
 ?>

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70]: https://img-blog.csdnimg.cn/20200121142251178.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 1]: https://img-blog.csdnimg.cn/20200121142325765.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 2]: https://img-blog.csdnimg.cn/20200121142416821.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[2020012114322244.jpg]: https://img-blog.csdnimg.cn/2020012114322244.jpg
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 3]: https://img-blog.csdnimg.cn/20200121143250427.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[20200121150010822.jpg]: https://img-blog.csdnimg.cn/20200121150010822.jpg
[20200121145953712.jpg]: https://img-blog.csdnimg.cn/20200121145953712.jpg
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 4]: https://img-blog.csdnimg.cn/20200121145454457.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 5]: https://img-blog.csdnimg.cn/20200121145329952.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 6]: https://img-blog.csdnimg.cn/20200121150311700.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 7]: https://img-blog.csdnimg.cn/20200121150522583.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 8]: https://img-blog.csdnimg.cn/20200121150632830.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 9]: https://img-blog.csdnimg.cn/20200121150504173.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 10]: https://img-blog.csdnimg.cn/20200121150732605.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw_size_16_color_FFFFFF_t_70 11]: https://img-blog.csdnimg.cn/20200121150746916.jpg?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQzOTY4MDgw,size_16,color_FFFFFF,t_70